Malware Injected Directly Into Processes in Angler Exploit Kit Attack

In recent attacks involving the Angler exploit kit, malicious code was injected directly into running processes instead of being written to the disk, a researcher reported on Sunday.

French malware researcher know as "Kafeine" noticed that while the exploits had the same hashes as before, his tools didn't detect the payload and his host-based intrusion prevention system (HIPS) had been bypassed.

At that point the researcher realized that the Angler exploit kit has become capable of infecting hosts by injecting malware into existing processes, in this case the Web browser process. The malware served in the attack analyzed by the researcher was Necurs, a Trojan that can be used to disable security products and download other threats onto infected systems.

"The typical exploitation workflow consists of a user arriving at a landing page that fires multiple exploits (Flash, Reader, Java, etc) which in turn results in a malware payload being downloaded to the user's machine and ran from a specific location, often within the temporary files' folder," Jerome Segura, senior security researcher at Malwarebytes, explained in an email. "These drive-by download attacks leave a physical trace on the victims' machines and various security software (from antivirus/anti-malware to more generic whitelisting anti-executable utilities) can pick that up reasonably well."

"In this new method, an encrypted payload is deobfuscated on the fly using XOR and then loaded straight into an existing process such as iexplore.exe as a new thread. What is so unique about this is the fact that the payload never actually touches the hard-drive. The malware remains active in memory even after the user closes their browser and the only way to completely 'kill' it is to terminate the injected process or restart the computer."

Kafeine has pointed out that this technique not only enables the attackers to bypass security solutions, but it's also ideal for information-stealing malware such as Pony, Andromeda or Jolly Roger, which don't necessarily need to be persistent in order to carry out their tasks. Furthermore, the use of this method enables cybercriminals to gather information on the infected machine before anything is written to the disk, and it makes it more difficult for researchers to obtain the dropper. "This is a powerful move for the attack side," the researcher said in a blog post.

Kafeine told SecurityWeek that shortly after he published his blog post, the attackers once again started writing the malware to the disk, and the reverse proxy placed in front of the command and control (C&C) backend went down. Yesterday, the attackers once again switched to injecting the malicious code into memory and placed a new reverse proxy in front of the C&C.

The expert says it's possible that the attackers are making test runs, an assumption backed up by a line of code used for communications between the bot and the C&C.

Last week, Fox-IT reported that Java.com, TMZ.com, DeviantArt.com, Photobucket.com and several other high-profile websites were affected by a malvertising campaign abusing the services of AppNexus, a company that specializes in real-time online advertising. Fox-IT noted at the time that victims of the attack were redirected to a website hosting Angler. Kafeine told SecurityWeek that the variant he analyzed has been seen in the AppNexus malvertising campaign.

"We don't know yet if this new method is going to go completely mainstream and start appearing in other exploit kits. However it does raise the difficultly level for security analysts to identify and process such payloads," Segura told SecurityWeek. "In order to be able to share samples that can be studied, one would have to extract them from memory using specific tools or directly attempt to decode the bytes as they go through the wire, something that can be more difficult given that attackers could keep changing the encryption technique they use."

"As far as detection goes, we have identified programs that rely on whitelisting techniques that are completely bypassed and oblivious to the infection. These types of programs are typically used in schools or libraries to forbid users from running unauthorized executables. As far as other popular end point security such as antivirus this is probably going to still be the same cat-and-mouse game where the bad guys usually have a short time frame to unleash their payload without being detected," Segura added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.